Question - Annual Third Party AoC chase

Hi after some advice for the best way to do this please.

We have around 13 service providers who come into scope of our PCI DSS certification. We ensure their compliance with PCI DSS by obtaining a copy of their current AoC each year. I cant use the third party section because some of these service providers will already be listed there as part of our supplier review process and may not have an annual review.

So what module would be the best fit to generate an annual task to contact each each service provider - Security Policies, Internal Controls or Compliance Analysis Findings?


You could create an Internal Control called ‘Supplier Reviews’ with it’s own annual review and then add your suppliers in as Maintenance Reviews with their own schedule. That way you could capture the Task, Task Conclusion, Owner etc etc and then attach the evidence. You could also use the Issues section to record any problems with Suppliers as they would be linked to the Internal Control itself.
Just an idea!

1 Like

Agree that it’s a control as it is a solution (something you do). The control should be worded as a review of the vendor’s AOC as opposed to collecting it - if you get it and it’s garbage, that’s something you should probably take note of and escalate at that time.

This control should link to the third party risk related to the vendor as well (which you can leverage as part of your separate vendor risk review). The control should also get linked to the relevant compliance package (i.e. your PCI compliance requirements).

The only other consideration is whether you create one control or thirteen or more controls. There’s a few considerations to think about -

  • One Control
    ** If the control is performed all at the same time and generally done by the same person, one control may make sense.
    **The downside to a single control is that an issue for one vendor’s AOC becomes a show stopper for the entire control. That one vendor that won’t send it to you? Can’t mark your review as complete and all related items (risks/compliance items) will get that incomplete task and/or issue that you assign.
    **Of course, a single control is less overhead to deal with.
    **If you’re trying to execute this review shortly after the release of an AOC for each vendor, it’s highly unlikely (cough) that all your vendors have the same AOC date.

  • Lots of Controls
    **If the control is performed by multiple people and/or you want to granularly track whether vendor A vs B has had their report reviewed, then multiple controls will allow you to do this.
    **Upside here is that one lame vendor won’t tank all the other vendors like a single control would.
    **Upside is that you can schedule the maintenances to occur shortly after the AOC date for each vendor individually.
    **Downside here is the poor GRC person now has lots of control maintenances to complete.

  • How to be even weirder and try something that’s likely not intended to work
    **I suppose you could create a single control with a ton of manually added maintenances - one for each vendor. I’m not sure how well this would work from a recurrences schedule perspective - any thoughts here @sam ?